Monday, June 13, 2005

Hey - that's my money!

People are stupid. Hopefully I'm bright enough to realize that this statement also applies to myself and keep a look-out for some inane action before I compromise anything of importance. I doubt it - after all, one of the hallmarks of incompetence is the inability to recognize it in oneself. So I can, not being able to know, relax and focus instead on the stupidity of others.

They tried to steal my money. Not that much - only about USD $3,500. Nothing earth shattering, but certainly enough to be an inconvenience. This was done on the sole credit card I have to my name - which, fortunately for me, I keep at a $1,000 limit and have no plans of expanding. There were 2 attempted fraudulent charges, both well beyond the actual cap that I maintain regardless of the fact that I already had $200 on the thing anyway.

But still, quite the inconvenience to find out about this when I try to gas up on the way home. I have gotten rather used to the convenience of swiping the little plastic for just about everything (which then drafts off the general ledger according to my accounting). That night I received a call asking if the 2 large charge attempts at an out-of-state jewelry (an easily liquidated item) store were mine, making me aware of the reason for the malfunction at the pump. Cancel the cards, get them replaced, and life is good until it happens again.

We know where our cards are at all times. We do very limited shopping online, and that under close technical scrutiny - I've programmed these systems myself for long enough to know what I'm doing on that Inter-web thing. So how did they get the number? I can think of a few different ways.

Easiest: have a dishonest employee copy it off the receipts. Happens all the time, I'm sure. Sell this on the underground to distance yourself from the trail, and make a little cash on the side.

Next in line: Cracked online database - similar to above. We try to make sure that the vendors we patronize do not retain this information, but I don't trust any of them 100%.

Moving along: Man in the middle attack. Against an SSL transaction this is unlikely, and typically not worth the effort unless you know your mark well enough to know they've got deep pockets. Multiple systems would have to be compromised in sequence to make this a reality.

Another possibility: Eavesdropping. I might have used my credit card number on the phone once when talking with the bank, whilst in my office here at work. I highly doubt this one. Although I did manually enter it into the telephone pad when purchasing movie tickets, so if anyone has tapped that line and added a DTMF decoder they're sitting on a good incoming source of numbers for people who likely have disposable income.

Automatic generation: brute force is hardly worth it when there are so many other ways to get numbers. Can still be done though - and it's possible to at least do a preliminary check against the verification algorithm before any charge attempt is made (thereby communicating with the actual server). The expiration date can be a mystery to this method, but there are vendors who won't check that.
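Seen from the merchant side, the pre-check described above means that generated numbers reaching the server already pass the checksum, so a passing Luhn check says nothing about legitimacy. The sketch below is an added example, not part of the original post: it flags a source that has several distinct checksum-valid numbers declined in a short window. The log layout, the thresholds and the function names are assumptions, and the card numbers are payment processors' published test numbers.

```python
from collections import defaultdict

def luhn_valid(pan: str) -> bool:
    """Luhn checksum. Catches typos; proves nothing about the account."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Constructed authorization log: (unix_time, source, pan, approved).
# A real log would hold a token or keyed hash of the PAN, never the number.
ATTEMPTS = [
    (1000, "10.0.0.5", "4111111111111111", False),
    (1004, "10.0.0.5", "4242424242424242", False),
    (1009, "10.0.0.5", "4012888888881881", False),
    (1015, "10.0.0.5", "5555555555554444", False),
    (1020, "10.0.0.9", "4111111111111111", False),  # one customer retrying
    (1050, "10.0.0.9", "4111111111111111", False),  # the same card
    (1090, "10.0.0.9", "4111111111111111", True),
    (1100, "10.0.0.7", "4111111111111112", False),  # typo: fails Luhn
]

def flag_card_testing(attempts, window=60, min_pans=4):
    """Sources with >= min_pans distinct Luhn-valid PANs declined
    within `window` seconds of each other."""
    declined = defaultdict(list)
    for ts, src, pan, approved in attempts:
        if not approved and luhn_valid(pan):
            declined[src].append((ts, pan))
    flagged = set()
    for src, events in declined.items():
        events.sort()
        for start, _ in events:
            pans = {p for t, p in events if start <= t < start + window}
            if len(pans) >= min_pans:
                flagged.add(src)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_card_testing(ATTEMPTS))
```

A customer retrying one card never trips the rule because only distinct numbers are counted; the thresholds would need tuning against real decline rates.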

Mail Fraud! Everybody's doing it. One of the questions we were asked was "Did you receive the courtesy checks that you were sent?" These are special paper checks that draft directly against the credit card for some reason. Presumably because some specialty vendors or mom & pop shops lack the merchant account capability to take the cards directly, or that some places prefer check (and thus offer discounts) over credit based on the mitigation of credit card processing fees and overhead. We did not receive our checks, so this is the most likely scenario this time around. Worst of all, we didn't even know they were coming, and had no notice or forewarning before the problem was manifest.

I'm more careful about what I put out in the mail now, and am more likely to use postal boxes as drop-offs than my own at the end of the street. And I shred anything sensitive before disposal. And I've requested that the bank never send me any of those things ever again - but still don't trust them.

No harm was done this time around, other than having to go into a few automated billing arrangements and twiddle the bits to something new. You want the old number? It was 4768 0001 9072 0619. Not that it will do any good, since it's been shut-down already and any attempted use under the fraudulent status would draw attention to your activity if the FBI is doing its job.

Now that the dust has settled, I can get back to everything else it is that I normally ignore until it's a problem (stupid reticular activating system).

Oh - and the new cards came via mail. Standard USPS. Sheesh.

- Paul
